Informational RustSec Advisory Presentation #683
Comments
Hey @pinkforest 👋 Sorry for the delayed reply. Are you referring to the |
Yes correct - We've been thinking of standardising it and making it more machine readable and something that we can dynamically update outside advisory w/ There is also sometimes context relevant / specific information around the major dependencies / transient dependencies who would need to bump up in between. Also something we've thought e.g. |
Gotcha. The machine readable alternatives are an interesting idea. At the moment we avoid suggesting alternatives to avoid the quagmire of edge cases that follow. In this case we really shouldn't have broadcasted |
E.g. for ansi_term we provided an informational advisory: https://rustsec.org/advisories/RUSTSEC-2021-0139.html
But GHSA has a different interpretation / representation: GHSA-74w3-p89x-ffgh
It's an advisory like the others, but it should be represented in the canonical way the RustSec database implicitly intended.
Informational advisories do have security related concerns but these are nonetheless different to regular advisories -
It is a database-specific OSV attribute:
The problem is that GHSA / Dependabot, as of now, does not take the different advisory types into account as a canonical representation.
GHSA / Dependabot also assumes "Critical" severity which is incorrect when we don't even flag CVSS for these -
We had a discussion about it here:
https://rust-lang.zulipchat.com/#narrow/stream/146229-wg-secure-code/topic/github.20advisory.20flags.20as.20critical/near/299276275
Also I see that GHSA / Dependabot omits the provided actionable advice that is helpful to anyone interpreting these advisories. It does link to the original RUSTSEC advisory, but I think Dependabot should include this actionable "fix", if any; people might be just fine using an unmaintained crate, for any given time, based on whatever individual / project opinion they hold as to whether to migrate or not.
I've raised another issue about the omitted actionable advice: #684